You can also pass the token in as a parameter in the query string instead of as
a header or a cookie (e.g. /protected?jwt=<TOKEN>). However, in almost all
cases it is recommended that you do not do this, as it comes with some security
issues. If you perform a GET request with a JWT in the query parameter, it is
possible that the browser will save the URL in its history, which could lead to
a leaked token. It is also very likely that your backend (such as nginx or uwsgi)
will log the full URL paths, which is obviously not ideal from a security standpoint.

If you do decide to use JWTs in query parameters, here is an example of how
it might look:

    from flask import Flask, jsonify, request
    from flask_jwt_extended import (
        JWTManager, jwt_required, create_access_token,
    )

    # IMPORTANT NOTE:
    # In most cases this is not recommended! It can lead to some
    # security issues, such as:
    # - The browser saving GET request URLs in its history that
    #   have a JWT in the query string
    # - The backend server logging JWTs that are in the URL
    #
    # If possible, you should use headers instead!

    app = Flask(__name__)
    app.config['JWT_TOKEN_LOCATION'] = ['query_string']
    app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
    jwt = JWTManager(app)


    @app.route('/login', methods=['POST'])
    def login():
        username = request.json.get('username', None)
        password = request.json.get('password', None)
        if username != 'test' or password != 'test':
            return jsonify({"msg": "Bad username or password"}), 401

        access_token = create_access_token(identity=username)
        return jsonify(access_token=access_token)


    # The default query parameter where the JWT is looked for is `jwt`,
    # and can be changed with the JWT_QUERY_STRING_NAME option. Making
    # a request to this endpoint would look like:
    # /protected?jwt=<ACCESS_TOKEN>
    @app.route('/protected', methods=['GET'])
    @jwt_required
    def protected():
        return jsonify(foo='bar')


    if __name__ == '__main__':
        app.run()
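Because the text above warns that the backend will log full URL paths, here is an added example (not part of the Flask-JWT-Extended docs) of the defensive side: a helper that redacts the token from a URL before it is written to a log, and a scanner that flags access-log lines where a JWT-shaped value has already been recorded. The log lines are constructed samples, and `param_name` mirrors the `jwt` default that JWT_QUERY_STRING_NAME controls.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed nginx-style access log lines (not real traffic); the token is a
# made-up three-segment string shaped like a JWT, not a valid signed token.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /protected?jwt=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123 HTTP/1.1" 200 12
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /protected HTTP/1.1" 401 34
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 5120
"""

# A JWT is three base64url segments separated by dots (signature may be empty
# for the insecure "none" algorithm, hence the trailing '*').
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Pull the request target out of the quoted request line of a log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_jwt_in_url(url, param_name="jwt"):
    """Return `url` with the value of `param_name` replaced by a placeholder,
    leaving every other query parameter intact. Use this before logging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k == param_name else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def find_leaked_tokens(log_text, param_name="jwt"):
    """Return [(line_no, token)] for access-log lines whose request target
    carries a JWT-shaped value in `param_name`; these are tokens that have
    already been written to disk and should be treated as exposed."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for k, v in parse_qsl(urlsplit(m.group("target")).query):
            if k == param_name and JWT_SHAPE.match(v):
                hits.append((n, v))
    return hits


if __name__ == "__main__":
    print(redact_jwt_in_url("/protected?jwt=a.b.c&page=2"))
    for line_no, token in find_leaked_tokens(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: token exposed in log ({token[:12]}...)")
```

The scanner only inspects the query parameter the application reads, so if you change JWT_QUERY_STRING_NAME, pass the same name as `param_name`.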